Data Processing Agreement

This Data Processing Agreement was last revised on, and effective as of, May 9, 2024.

This Data Processing Addendum (“DPA”) supplements the ScreenPal Terms of Service (“TOS”) found here and entered into between Big Nerd Software, LLC dba ScreenPal (“ScreenPal”) and you (the “Customer”) in relation to the transfer and Processing of Customer Personal Data in connection with the provision of the Services.

Definitions

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement and the following capitalized terms used in this DPA will be defined as follows:

“Adequate Jurisdiction” means the UK, EEA, Switzerland or a country or territory deemed to provide adequate protection for the rights and freedoms of individuals, as set out in:

·       the Data Protection Act 2018 or regulations made by the UK Secretary of State under the Data Protection Act 2018;

·       a decision of the European Commission; or

·       a decision of the Swiss Federal Council as listed in Annex 1 to the Ordinance (as amended from time to time).

“Administration Data” means:

·       contact details relating to, and the content of correspondence with the Customer’s main account holder or administrator; and

·       support enquiries submitted by the Customer’s authorized users in relation to the Services.

“Agreement” means the agreement between Customer and ScreenPal in relation to the provision of the Services, comprising the terms of service at https://screenpal.com/tos or as otherwise agreed between the parties.

“Authorized Subprocessors” means the Subprocessors listed at https://ScreenPal.com/privacy/subprocessors, as amended from time to time in accordance with the section headed “Subprocessing” below.

“EEA” means the member states of the European Union and Iceland, Liechtenstein and Norway.

“Effective Date” means the later of: (a) the date the Customer enters into the Agreement; and (b) the date first written above.

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3 of the Data Protection Act 2018.

“Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Controller Purposes” means: (i) monitoring the performance of the Services, and identifying and repairing errors that impair existing functionality of the Services; (ii) facilitating the security and integrity of the Services, including the detection and prevention of fraud, business continuity and disaster recovery; (iii) undertaking internal research and development to develop, test, improve and alter the functionality of ScreenPal’s products and services; and (iv) administering ScreenPal’s relationship with the Customer under the Agreement, including invoicing and maintaining transaction records for accounting and tax reporting purposes.

“Customer Personal Data” means the Personal Data that ScreenPal Processes on behalf of the Customer in connection with the Services, as more particularly described in Annex 1.

“Data Subject” means a natural person to whom Personal Data relates.

“DPF” means the “DPF”, “EU-US Data Privacy Framework” or (where applicable) the “UK Extension to the EU-US Data Privacy Framework” and the “Swiss-US Data Privacy Framework”, in each case as defined in the relevant US Adequacy Decision.

“DPF List” means the “Data Privacy Framework List”, “DPF List” or equivalent term as defined in the applicable US Adequacy Decision.

“DPF Principles” means the “EU-US Data Privacy Framework Principles” or “Principles” as defined in the applicable US Adequacy Decision.

“European Data Protection Laws” means all applicable laws, rules, regulations and governmental requirements in the EEA, UK and Switzerland relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation) the GDPR and Swiss Data Protection Laws.

“Processor” shall mean an entity which Processes Personal Data on behalf of a Controller.

“Personal Data” means any information that: (a) relates to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifier; or (b) is otherwise “personal data” or “personal information” under the European Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.

“Special Categories of Data” means the categories of Personal Data set out in Article 9(1) of the GDPR or, where applicable, “sensitive personal data” as defined in Article 5 of the FADP.

“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

“Subprocessor” means a Processor engaged by another Processor to Process Personal Data.

“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”) and the Swiss Data Protection Ordinance of 31 August 2022 (the “Ordinance”), and any new or revised version of these laws that may enter into force from time to time.

“UK” means the United Kingdom.

“US Adequacy Decisions” means: (a) the UK Data Protection (Adequacy) (United States of America) Regulations 2023; (b) Commission Implementing Decision C(2023) 4745 on the adequate level of protection of personal data under the EU-US Data Privacy Framework; and (c) a decision of the Swiss Federal Council with similar effect to (a) and (b) in respect of the Swiss-US Data Privacy Framework.

“Usage Data” means diagnostic, usage and performance information collected by ScreenPal in relation to the Customer’s and its authorized users’ use of the Services.

Applicability of DPA 

Applicability. This DPA applies, is incorporated into and forms an integral part of the Agreement to the extent that: (i) European Data Protection Laws apply to the Customer’s Processing of Customer Personal Data; or (ii) the transfer of Customer Personal Data by Customer to ScreenPal is an “onward transfer” as defined in the Standard Contractual Clauses.

Roles and responsibilities 

Roles of the Parties. The parties acknowledge that, as between ScreenPal and Customer, for the purposes of the European Data Protection Laws:

·       other than in respect of ScreenPal’s Processing of Usage Data and Administration Data for the Controller Purposes, Customer acts as the Controller and ScreenPal acts as the Processor; and

·       ScreenPal acts as a Controller with respect to the Processing of Usage Data and Administration Data for the Controller Purposes.

Customer Processing of Customer Personal Data. Customer shall be responsible for:

·       complying with European Data Protection Laws in respect of its use of the ScreenPal Service, its Processing of the Customer Personal Data, and any Processing instructions it issues to ScreenPal;

·       ensuring it has, and will continue to have, the right to transfer, or provide access to, the Customer Personal Data to ScreenPal for Processing pursuant to the Agreement and this DPA; and

·       ensuring that it shall not disclose (nor permit any data subject to disclose) any Special Categories of Data to ScreenPal for Processing.

ScreenPal’s Processing of Customer Personal Data. Other than in respect of its Processing of Usage Data and Administration Data for the Controller Purposes:

·       ScreenPal shall Process the Customer Personal Data for the purposes described in the Agreement and this DPA and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Services on Customer’s behalf as set out in the Agreement); and

·       ScreenPal may Process Customer Personal Data to the extent required under applicable law in effect in the EEA, UK or Switzerland, in which case ScreenPal shall notify the Customer of that requirement unless prohibited by such applicable law on important grounds of public interest.

Security 

Security. ScreenPal shall implement appropriate technical and organizational measures to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (each a “Security Incident”). Without limiting the generality of the foregoing, ScreenPal shall put in place and maintain the technical and organizational measures as set out in Annex 2 of this DPA.

Confidentiality of Processing. ScreenPal shall ensure that any person that it authorizes to Process the Customer Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).

Security Incidents. Upon becoming aware of a Security Incident, ScreenPal shall notify Customer without undue delay and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under the European Data Protection Laws. ScreenPal shall promptly take appropriate and commercially reasonable steps to mitigate the effects of such a Security Incident, to the extent such efforts are within ScreenPal’s reasonable control. ScreenPal’s notification of or response to a Security Incident shall not be construed as an acknowledgement by ScreenPal of any fault or liability with respect to the Security Incident.

Subprocessing

Subprocessors. Customer grants ScreenPal general authorization to engage the Authorized Subprocessors to Process Customer Personal Data on ScreenPal’s behalf, provided that:

  • ScreenPal shall impose on such Subprocessors data protection terms that protect Customer Personal Data to a standard substantially similar to that provided for by this DPA; and
  • ScreenPal shall remain liable for any breach of the DPA caused by an Authorized Subprocessor.

Changes to Subprocessors. ScreenPal shall notify Customer of any proposed changes to the Authorized Subprocessors by updating the list at https://ScreenPal.com/privacy/subprocessors at least thirty (30) days prior to any such change. Customer may object to a new Subprocessor on reasonable grounds relating to the protection of the Customer Personal Data at any time prior to the change coming into effect. In such an event, the parties shall cooperate in good faith to reach a resolution and, if such resolution cannot be reached, then ScreenPal, at its discretion, will either: (i) not appoint or replace the Subprocessor; or (ii) permit Customer to suspend or terminate the Agreement on thirty (30) days written notice (without prejudice to any fees incurred by Customer prior to suspension or termination).

International transfers

Onward transfers. ScreenPal shall not transfer any Customer Personal Data to a recipient outside the UK, EEA or Switzerland unless:

·       the recipient is in an Adequate Jurisdiction; or

·       ScreenPal complies with the requirements of the DPF when making such transfer, including taking reasonable and appropriate steps to ensure that the recipient provides the same level of protection as the DPF Principles and notifies ScreenPal if it makes a determination that it can no longer meet this obligation; or

·       the transfer is otherwise not prohibited under the European Data Protection Laws.

Transfers subject to the SCCs. To the extent that: (i) ScreenPal ceases to be listed as a participating organization in the applicable DPF List for the purposes of a US Adequacy Decision; or (ii) a US Adequacy Decision is repealed, withdrawn or otherwise does not apply to transfers of Customer Personal Data from Customer (as data exporter) to ScreenPal (as data importer), the parties agree that:

·       the SCCs, as further set out in Annex 3, shall apply to such transfers and be deemed incorporated in this DPA;

·       signature of this DPA shall have the same effect as signing the SCCs; and

·       in the event of a conflict between any of the provisions of the SCCs and the remainder of this DPA, the provisions of the SCCs shall prevail.

Cooperation

Cooperation and data subjects’ rights. ScreenPal shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, to enable Customer to respond to requests from a Data Subject seeking to exercise their rights under the European Data Protection Laws.

Data Protection Impact Assessments. ScreenPal shall, to the extent required by European Data Protection Laws, provide Customer with commercially reasonable assistance needed to fulfil Customer’s obligation to carry out data protection impact assessments or prior consultations with supervisory authorities, to the extent Customer does not otherwise have access to the relevant information. ScreenPal shall be entitled to claim for reasonable expenses incurred by ScreenPal as a result of providing such assistance to the Customer.

Disclosure to authorities. Customer acknowledges that ScreenPal may disclose the privacy provisions in this DPA and the Agreement to the US Department of Commerce, the Federal Trade Commission, a data protection authority in the EEA, UK or Switzerland, or any other applicable judicial or regulatory body upon their lawful request. ScreenPal shall use reasonable efforts to notify Customer of any request for disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by law or legally binding order of such body or agency.

Security reports and audits

Documentation. ScreenPal shall provide, upon Customer’s reasonable request, all information reasonably necessary to demonstrate ScreenPal’s compliance with this DPA.

Audits. ScreenPal shall permit the Customer (or its appointed third-party auditors) to carry out an audit of ScreenPal’s Processing of Customer Personal Data under the Agreement, provided that:

·       such audits are conducted not more than once per year, unless more frequent audits are required by the Customer’s supervisory authority;

·       Customer must give ScreenPal reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to ScreenPal’s operations;

·       the parties agree on the scope of the audit in advance; and

·       Customer shall be responsible for all costs incurred in connection with any such audits (including any reasonable costs incurred by ScreenPal in facilitating such audit) unless such audit is required as a direct result of ScreenPal’s breach of its obligations under this DPA and the Agreement.

Certifications and self-audits. ScreenPal may, in response to the Customer’s audit request:

·       provide the Customer with any independent audit reports or data protection compliance certifications issued by a commonly accepted certification provider and obtained by ScreenPal in support of ScreenPal’s obligations under this DPA; or

·       arrange for a qualified and independent auditor to conduct an audit of ScreenPal’s policies and technical and organizational measures in support of the obligations under this DPA using an appropriate and accepted control standard or framework and provide the report of such audit to Customer, and Customer agrees to accept any such audit reports or certifications provided by ScreenPal in place of conducting an audit.

Deletion / return of data

Term. This DPA shall commence on the Effective Date and, notwithstanding termination or expiry of the Agreement, will remain in effect until and automatically expire on ScreenPal’s deletion or anonymization of all Customer Personal Data.

Deletion or return of data: ScreenPal shall:

·       if requested to do so by Customer within sixty (60) days of termination or expiry of the Agreement (the “Termination Retention Period”) provide Customer a copy of all Customer Personal Data Processed by ScreenPal as a Processor in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Customer Personal Data; and

·       on expiry of the Termination Retention Period, delete all copies of Customer Personal Data Processed by ScreenPal other than: (i) Customer Personal Data that ScreenPal is required to retain by applicable law or that is archived on backup systems (provided such Customer Personal Data is deleted as soon as reasonably practicable or permitted under applicable law); and (ii) Administration Data and Usage Data Processed by ScreenPal for the Controller Purposes.

Miscellaneous

Except as amended by this DPA, the Agreement will remain in full force and effect.

Any claim brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.

This DPA shall be governed by the same law as the Agreement.

ANNEX 1 – DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA

A. List of Parties

Role

·       Customer: Data exporter (controller)

·       ScreenPal: Data importer (Processor)

Contact person

·       Customer: The administrator of the Customer’s account as notified to ScreenPal

·       ScreenPal: support@screenpal.com

Activities relevant to the transfer

·       Customer: The receipt of the Services under the Agreement.

·       ScreenPal: The performance of the Services under the Agreement.

B. Description of Processing

Categories of Data Subjects

·        Employees, agents or other individuals authorized by the Customer to access and use the Services pursuant to the terms of the Agreement (“Authorized Users”)

·        Any other individuals featured in any Content uploaded by Customer and its Authorized Users to the Services (“Content Subjects”)

·        Individuals that view and interact with content uploaded to the Services by Authorized Users (“Content Viewers”)

Categories of Personal Data

Authorized Users

·        Name, email address, role at Customer;

·        Content uploaded to the Services (videos, images, comments, quiz answers);

·        Statistics relating to the performance of and interactions with content uploaded to the Services by the Authorized User (such as number of views);

·        Usage data relating to use of the Services, including IP address; and

·        Support request and communications sent to ScreenPal.

Content Subjects

·        Information contained in content uploaded by Authorized Users to the Services

Content Viewers

·        Information relating to the Content Viewer’s interaction with content uploaded by Authorized Users (date and time viewed, number of times viewed, comments in relation to the content, responses to questions and quizzes).

Special categories of Personal Data

None

Frequency of the transfer

Continuous

Nature of the Processing

Collection, storage, deletion, rectification, analysis and aggregation

Purposes of the data transfer and further Processing

The delivery of the Services, including:

·        Hosting and distribution of content created and/or uploaded by Authorized Users;

·        Provision of analytics and audience information relating to content created and/or uploaded by Authorized Users;

·        Resolving queries and support requests submitted by the Customer and its Authorized Users.

Retention period

For the duration of the Agreement, unless earlier deletion is requested or communicated by the Customer.

Subprocessors

As set out at https://ScreenPal.com/privacy/subprocessors

 

ANNEX 2

Technical and Organizational Security Measures

NIST

ScreenPal follows the NIST Security Framework.

ScreenPal has committed management and dedicated staff to the design, implementation and operation of its information security program.

Access Control

Access Management Policy to control ScreenPal system components (i.e. cloud servers, applications, databases, etc.) and sensitive information (e.g. Personal Data) in the organization, including the framework and the principles for user provisioning.  Role-based access controls allowing staff access to systems and data only on a need-to-know basis.

Segregation of duties and prior approval of all user accounts by ScreenPal based on data classification with ongoing review of user access permissions.

Awareness and Training

Mandatory training related to data privacy and security requirements for all employees responsible in whole or in part for design, production, development, operations and marketing of ScreenPal products. Such training will include all employees who are directly or peripherally involved in collection, use, storage, disclosure or any other handling of data.

Audit and Accountability

Includes policies, controls, and operational practices for proper auditing and accountability.  ScreenPal continuously monitors its environment and centralizes its logs. Anomalies are investigated and prioritized on a continual basis.

Assessment, Authorization, and Monitoring

Auditing and assurance programs for all security and privacy policies conducted on a minimum annual review with quarterly security review meetings that include review of past audits.  Ongoing vulnerability testing and annual penetration testing with managed mitigation.

Configuration Management

Policies, processes, and controls for configuration management including application development policy, change control process, data encryption and key management policy, asset handling procedures including cataloging and tracking of all physical and logical assets, and risk assessment methodology.

Contingency Planning

Formal business continuity and disaster recovery plan that includes data access and storage, continuity of use, and capacity management. Daily backups and service replication with continuous monitoring.

Identification and Authentication

Policies and operational procedures for appropriate identification and authentication to include unique employee identity, single-sign-on and MFA controls based on system access, formal password policies, and secure storage of credentials.   Ongoing reviews of employee access and associated controls.

Incident Response

Incident Response Management Plan to bring needed resources together in an organized manner to deal with an adverse event related to the safety and security of ScreenPal’s Business & Information Assets, including a malicious code attack, unauthorized access to organizational systems, unauthorized utilization of organization services in denial of service attacks, general misuse of systems, or hoaxes.

Maintenance

Formal and operational procedures for continuous monitoring of infrastructure and software, including third party monitoring.

Media Protection

Policies, controls and operational procedures for the protection of customer data stored on media, including industry standard encryption at rest. Use of trusted third party services (e.g. AWS) for storage and security services.

Physical and Environmental Protection

ScreenPal is a virtual company and customer data is maintained with ScreenPal sub-processors with the main cloud infrastructure on AWS.   AWS has strict policies for physical access to any equipment or systems that store ScreenPal customer data and industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 (formerly referred to as SAS 70 and/or SSAE 16) and SOC 2 audit reports. Their services and data centers have multiple layers of operational and physical security.

Planning

Policies and operational procedures including formally documented quarterly security and access reviews, monitoring of regulatory compliance, and audits/updates to formal security documentation.

Program Management

Dedicated security staff to maintain and update the ScreenPal security program, including policies, controls and operational procedures.  Including risk assessment, formal documentation, monitoring mitigation and training with appropriate executive management approvals.

Personnel Security

Formal policies, controls and operational procedures which include appropriate background checks for all employees, onboarding including confidentiality and acknowledgement of policies, annual training, offboarding checklists that address removal of access.

Risk Assessment

Annual risk assessment process identifying major strategic developments in the industry and emerging threats and vulnerabilities to ScreenPal business and IT assets, with results reported in a formal risk assessment document.

Standard Risk assessment methodologies include but are not limited to NIST SP 800-30.

System and Services Acquisition

Formal software development policy, change management process, and patch management policy with test automation and peer review.   Agile development methodology includes rapid response to critical incidents and associated escalation processes.  Monitoring and control of any third party components.

System and Communications Protection

ScreenPal maintains reasonable security measures to help protect customer information from loss, destruction, misuse, unauthorized access or disclosure. For example, in accordance with applicable law, Personal Data is encrypted in transit (e.g. TLS 1.2 or later) and at rest (e.g. AES-256). These security measures can include, but are not limited to, password protection, need-based access, firewall and encryption, employee training, and other such mechanisms. Our security team periodically reviews our information storage and security practices and updates our policies and practices as needed to address changing technologies and known threats.

System and Information Integrity

ScreenPal maintains strict separation of production and non-production environments so that customer data is only stored in a production environment and access to customer data by staff is controlled.  Data destruction follows regulatory requirements and ensures that data is permanently destroyed and not recoverable.  Continuous vulnerability scanning and system monitoring is implemented with appropriate mitigation.

Supply Chain Risk Management

ScreenPal will ensure that properly organized and managed information security control measures, based on information security risks, are in place to address security risk related to organizational sensitive information when shared with a third party or accessed by contractors. This includes a third party risk management assessment and annual review.

ANNEX 3

EU SCCs

The Standard Contractual Clauses will apply to any Processing of Customer Personal Data as set out in the section headed “International Transfers” above. For the purposes of the Standard Contractual Clauses:

·       Module Two (controller to processor) shall apply.

·       Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

·       Option 2 of Clause 9(a) (General written authorization) is selected, and the time period to be specified is as set out in the section headed “Changes to Subprocessors” above.

·       The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

·       With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be the law of Ireland.

·       In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.

·       For the purpose of Annex I.A and Annex I.B of the Standard Contractual Clauses, Annex 1 of the DPA contains details of the parties and the description of transfer.

·       For the purpose of Annex I.C. of the Standard Contractual Clauses, the competent supervisory authority shall be the Irish Data Protection Commissioner.

·       For the purpose of Annex II of the Standard Contractual Clauses, Annex 2 of the DPA contains the technical and organizational measures.

UK Addendum

This “UK Addendum” shall apply to any transfer of Customer Personal Data from the Customer (as data exporter) to ScreenPal (as data importer) under the section headed “International Transfers” above to the extent that: (i) the UK Data Protection Laws apply to the Customer when making that transfer; or (ii) the transfer is an “onward transfer” as defined in the Approved Addendum (each a “UK Transfer”).

As used in this UK Addendum:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.

“UK Data Protection Laws” means all laws relating to data protection, the Processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

The Approved Addendum will form part of this DPA with respect to any UK Transfer, and execution of this DPA shall have the same effect as signing the Approved Addendum.

The Approved Addendum shall be deemed completed as follows:

·       the “Addendum EU SCCs” shall refer to the Standard Contractual Clauses as they are incorporated into, and applied to transfers of Personal Data between the Parties as set out in the section headed “International Transfers” above and this Annex 3;

·       Table 1 of the Approved Addendum shall be completed with the details in Annex 1;

·       the “Appendix Information” shall refer to the information set out in Annex 1 and Annex 2;

·       for the purposes of Table 4 of the Approved Addendum, ScreenPal (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and

·       Section 16 of the Approved Addendum does not apply.

Swiss addendum

This Swiss Addendum will apply to any Processing of Customer Personal Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

Interpretation of this Addendum

Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

“Addendum” means this addendum to the Clauses;

“Clauses” means the Standard Contractual Clauses as incorporated into this DPA in accordance with the section headed “International Transfers” above and as further specified in this Annex 3; and

“FDPIC” means the Federal Data Protection and Information Commissioner.

This Addendum will be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the parties’ obligation under Article 16(2)(d) of the FADP.

This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.

In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:

·       for transfers made by the Customer to ScreenPal, to the extent that Swiss Data Protection Laws apply to the Customer’s Processing when making that transfer; and

·       as standard data protection clauses approved, issued or recognized by the FDPIC for the purposes of Article 16(2)(d) of the FADP.

Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects will prevail.

Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws

To the extent that the Customer’s Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from Customer to ScreenPal under the Clauses is an “onward transfer” (as defined in the Clauses, as amended by the remainder of this paragraph) the following amendments are made to the Clauses:

·       References to the “Clauses” or the “Standard Contractual Clauses” mean this Swiss Addendum as it amends the Standard Contractual Clauses.

·       Clause 6 Description of the transfer(s) is replaced with:

The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.

·       References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

·       References to Regulation (EU) 2018/1725 are removed.

·       References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.

·       Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the FDPIC.

·       Clause 17 is replaced to state:

“These Clauses are governed by the laws of Switzerland”.

·       Clause 18 is replaced to state:

“Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

Supplementary provisions for transfers of Personal Data subject to both the GDPR and Swiss Data Protection Laws

To the extent that the Customer’s Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from the Customer to ScreenPal under the Clauses is an “onward transfer” under both the Clauses and the Clauses as amended by this Addendum:

·       For the purposes of Clause 13(a) and Part C of Annex I:

o  the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the Customer’s Processing when making that transfer, or such transfer is an “onward transfer” as defined in the Clauses (as amended by this Addendum); and

o  subject to the provisions of the UK Addendum, the supervisory authority identified in Annex 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the Customer’s processing, or such transfer is an “onward transfer” as defined in the Clauses.

·       The terms “European Union”, “Union”, “EU”, and “EU Member State” shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland to bring a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.
